1
0
forked from infra/ansible

mail: use rspamd with automatic learning using sieve + managesieve

This commit is contained in:
Kishi85 2019-07-15 12:17:09 +02:00
parent 4eb0403e32
commit 6b67a836e9
30 changed files with 333 additions and 272 deletions

View File

@ -1,34 +0,0 @@
# /etc/default/spamassassin
# Duncan Findlay
# WARNING: please read README.spamd before using.
# There may be security risks.
# If you're using systemd (default for jessie), the ENABLED setting is
# not used. Instead, enable spamd by issuing:
# systemctl enable spamassassin.service
# Change to "1" to enable spamd on systems using sysvinit:
ENABLED=0
# Options
# See man spamd for possible options. The -d option is automatically added.
# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"
# Set nice level of spamd
#NICE="--nicelevel 15"
# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=1

View File

@ -0,0 +1,2 @@
#!/bin/sh
exec /usr/bin/rspamc learn_ham

View File

@ -0,0 +1,2 @@
#!/bin/sh
exec /usr/bin/rspamc learn_spam

View File

@ -0,0 +1,5 @@
require ["fileinto","mailbox"];
if header :contains "X-Spam" "Yes" {
fileinto :create "INBOX.Junk";
}

View File

@ -0,0 +1,2 @@
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy ".learn-ham.sh";

View File

@ -0,0 +1,2 @@
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy ".learn-spam.sh";

View File

@ -1,14 +0,0 @@
# For a fully commented sample config file see policyd-spf.conf.commented
debugLevel = 1
defaultSeedOnly = 1
HELO_reject = No_Check
Mail_From_reject = False
Mail_From_pass_restriction = OK
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1/128

View File

@ -0,0 +1,60 @@
bind 127.0.0.1 ::1
protected-mode yes
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
pidfile /var/run/redis/redis-server.pid
loglevel notice
logfile /var/log/redis/redis-server.log
databases 16
always-show-logo yes
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir /var/lib/redis
slave-serve-stale-data yes
slave-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
slave-priority 100
maxmemory 500mb
maxmemory-policy volatile-lru
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
slave-lazy-flush no
appendonly yes
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble no
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
aof-rewrite-incremental-fsync yes

View File

@ -0,0 +1,9 @@
clamav {
servers = "/var/run/clamav/clamd.ctl";
symbol = "CLAMAV_VIRUS";
attachments_only = false;
patterns {
JUST_EICAR = nan; #Disable EICAR handling
}
action = "reject";
}

View File

@ -0,0 +1,3 @@
backend = "redis";
new_schema = true;
expire = 8640000;

View File

@ -0,0 +1,2 @@
expire=30d;
timeout=120s;

View File

@ -0,0 +1,4 @@
type = "file";
filename = "/var/log/rspamd/rspamd.log";
level = "notice";
debug_modules = ["antivirus","dkim_signing","arc","greylist","fuzzy_check"];

View File

@ -0,0 +1,2 @@
use = ["authentication-results","x-spam-status","x-spam-level","x-spamd-bar", "x-spamd-result", "x-rspamd-server","x-rspamd-queue-id"];
authenticated_headers = ["authentication-results"];

View File

@ -0,0 +1,14 @@
rbls {
nixspam {
symbol = "RBL_NIXSPAM";
rbl = "ix.dnsbl.manitu.net";
ipv4 = true;
ipv6 = true;
}
gbudb {
symbol = "RBL_GBUDB";
rbl = "truncate.gbudb.net";
ipv4 = true;
ipv6 = true;
}
}

View File

@ -0,0 +1,10 @@
symbols = {
"RBL_GBUDB" {
weight = 4.0;
description = "From address is listed in GBUDB BL";
}
"RBL_NIXSPAM" {
weight = 4.0;
description = "From address is listed in NIXSPAM BL";
}
}

View File

@ -0,0 +1,2 @@
write_servers = "127.0.0.1";
read_servers = "127.0.0.1";

View File

@ -0,0 +1,3 @@
password = "$2$tgahjcep7dkczanwry7hnyozswpbi9fx$f6acdtn47w35sek85znopneeko7fp8gmamnxxaf31ryo18dp333y";
enable_password = "$2$tgahjcep7dkczanwry7hnyozswpbi9fx$f6acdtn47w35sek85znopneeko7fp8gmamnxxaf31ryo18dp333y";
bind_socket = "localhost:11334";

View File

@ -0,0 +1,2 @@
bind_socket = "localhost:11333";
count = 1;

View File

@ -0,0 +1,7 @@
bind_socket = "localhost:11332";
milter = yes;
timeout = 120s;
upstream "local" {
default = yes;
self_scan = yes;
}

View File

@ -1,8 +1,4 @@
--- ---
- name: Restart amavis
service: name=amavis state=restarted
- name: Restart dovecot - name: Restart dovecot
service: name=dovecot state=restarted service: name=dovecot state=restarted
@ -12,8 +8,11 @@
- name: Restart postfix - name: Restart postfix
service: name=postfix state=restarted service: name=postfix state=restarted
- name: Restart postgrey - name: Restart redis
service: name=postgrey state=restarted service: name=redis state=restarted
- name: Restart rspamd
service: name=rspamd state=restarted
- name: Run acertmgr - name: Run acertmgr
command: /opt/acertmgr/acertmgr.py command: /opt/acertmgr/acertmgr.py

View File

@ -1,4 +1,13 @@
--- ---
- name: add an apt rspamd key
apt_key:
url: https://rspamd.com/apt-stable/gpg.key
state: present
- name: add rspamd repository
apt_repository:
repo: deb http://rspamd.com/apt-stable/ {{ ansible_distribution_release }} main
state: present
- name: Install packages - name: Install packages
apt: name={{ item }} apt: name={{ item }}
@ -7,6 +16,7 @@
- bsd-mailx - bsd-mailx
- dovecot-core - dovecot-core
- dovecot-imapd - dovecot-imapd
- dovecot-lmtpd
- dovecot-ldap - dovecot-ldap
- dovecot-managesieved - dovecot-managesieved
- dovecot-sieve - dovecot-sieve
@ -14,11 +24,9 @@
- mailman - mailman
- postfix - postfix
- postfix-ldap - postfix-ldap
- postfix-policyd-spf-python - redis-server
- postgrey - redis-tools
- pyzor - rspamd
- razor
- spamassassin
- name: Create vmail group - name: Create vmail group
group: name=vmail gid=500 state=present group: name=vmail gid=500 state=present
@ -26,19 +34,41 @@
- name: Create vmail user - name: Create vmail user
user: name=vmail group=vmail uid=500 createhome=yes home=/var/vmail shell=/bin/false state=present user: name=vmail group=vmail uid=500 createhome=yes home=/var/vmail shell=/bin/false state=present
- name: Configure amavis
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- amavis/conf.d/15-content_filter_mode
- amavis/conf.d/50-user
notify: Restart amavis
- name: Create dovecot ssl directory - name: Create dovecot ssl directory
file: path=/etc/dovecot/ssl state=directory mode=0750 owner=dovecot group=dovecot file: path=/etc/dovecot/ssl state=directory mode=0750 owner=dovecot group=dovecot
- name: Create dovecot log directory - name: Create dovecot log directory
file: path=/var/log/dovecot state=directory mode=0750 owner=vmail group=vmail file: path=/var/log/dovecot state=directory mode=0750 owner=vmail group=vmail
- name: Create vmail sieve directory
file: path=/var/vmail/.sieve state=directory mode=0750 owner=vmail group=vmail
- name: Copy redis config
copy: src=redis.conf dest=/etc/redis/redis.conf
notify: Restart redis
- name: Copy static rspamd config
copy: src={{ item }} dest=/etc/rspamd/local.d/
notify: Restart rspamd
with_fileglob: "rspamd/local.d/*"
- name: Render rspamd config templates
template: src=rspamd/local.d/{{ item }}.j2 dest=/etc/rspamd/local.d/{{ item }}
notify: Restart rspamd
loop:
- "options.inc"
- "arc.conf"
- "dkim_signing.conf"
- name: Copy spam learn/unlearn sieve and shell scripts
copy: src=dovecot/{{ item }} dest=/var/vmail/.sieve/.{{ item }}
with_items:
- learn-spam.sh
- learn-ham.sh
- move-spam.sieve
- report-spam.sieve
- report-ham.sieve
- name: Configure dovecot - name: Configure dovecot
template: src={{ item }}.j2 dest=/etc/{{ item }} template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items: with_items:
@ -46,6 +76,19 @@
- dovecot/local.conf - dovecot/local.conf
notify: Restart dovecot notify: Restart dovecot
- name: Compile sieve scripts
shell: sievec /var/vmail/.sieve/.{{ item|basename }}
with_items:
- move-spam.sieve
- report-spam.sieve
- report-ham.sieve
- name: Ensure learn scripts are executable
file: mode=0750 path=/var/vmail/.sieve/.{{ item }}
with_items:
- learn-spam.sh
- learn-ham.sh
- name: Configure logrotate for dovecot - name: Configure logrotate for dovecot
copy: src=logrotate.d/dovecot dest=/etc/logrotate.d/dovecot copy: src=logrotate.d/dovecot dest=/etc/logrotate.d/dovecot
@ -79,11 +122,6 @@
file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400 file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
notify: Restart nginx notify: Restart nginx
- name: Configure policyd
copy: src={{ item }} dest=/etc/{{ item }}
with_items:
- postfix-policyd-spf-python/policyd-spf.conf
- name: Create postfix ssl directory - name: Create postfix ssl directory
file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix
@ -116,32 +154,6 @@
file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=postfix mode=0400 file: path=/etc/postfix/ssl/{{ mail_server }}.key owner=postfix mode=0400
notify: Restart postfix notify: Restart postfix
- name: Create razor directory structure
command: razor-admin -create chdir=/var/lib/amavis creates=/var/lib/amavis/.razor
become: yes
become_user: amavis
- name: Register razor
command: razor-admin -register chdir=/var/lib/amavis creates=/var/lib/amavis/.razor/identity
become: yes
become_user: amavis
- name: Download GPG key for Sought ruleset
get_url: url=http://yerp.org/rules/GPG.KEY dest=/etc/spamassassin/sought.key
- name: Import GPG key for Sought ruleset
become: yes
become_user: debian-spamd
shell: sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys --import /etc/spamassassin/sought.key && touch sought.imported chdir=/var/lib/spamassassin creates=sought.imported
- name: Enable sa-update cron-job
cron: name=sa-update minute="0" hour="*/6" job="/usr/bin/sa-update -v --gpghomedir /var/lib/spamassassin/sa-update-keys --gpgkey 6C6191E3 --channel sought.rules.yerp.org --channel updates.spamassassin.org"
- name: Enable spamd cron-job
copy: src={{ item }} dest=/etc/{{ item }}
with_items:
- default/spamassassin
- name: Configure certificate manager - name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ mail_server }}_mail.conf template: src=certs.j2 dest=/etc/acertmgr/{{ mail_server }}_mail.conf
notify: Run acertmgr notify: Run acertmgr
@ -150,10 +162,6 @@
template: src=mailman/certs.j2 dest=/etc/acertmgr/{{ mailman_domain }}_mailman.conf template: src=mailman/certs.j2 dest=/etc/acertmgr/{{ mailman_domain }}_mailman.conf
notify: Run acertmgr notify: Run acertmgr
- name: Start amavis
service: name=amavis state=started enabled=yes
tags: mail
- name: Start dovecot - name: Start dovecot
service: name=dovecot state=started enabled=yes service: name=dovecot state=started enabled=yes
tags: mail tags: mail
@ -166,6 +174,10 @@
service: name=postfix state=started enabled=yes service: name=postfix state=started enabled=yes
tags: mail tags: mail
- name: Start postgrey - name: Start redis
service: name=postgrey state=started enabled=yes service: name=rspamd state=started enabled=yes
tags: mail
- name: Start rspamd
service: name=rspamd state=started enabled=yes
tags: mail tags: mail

View File

@ -1,27 +0,0 @@
use strict;
# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.
#
# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:
#@bypass_virus_checks_maps = (
# \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
#
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1; # ensure a defined return

View File

@ -1,37 +0,0 @@
use strict;
#
# Place your configuration directives here. They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
$remove_existing_spam_headers = 1;
$sa_tag_level_deflt = undef;
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = $sa_tag2_level_deflt;
$sa_spam_subject_tag = undef;
$final_virus_destiny = D_PASS;
$final_banned_destiny = D_PASS;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;
$virus_admin = undef;
$virus_quarantine_to = undef;
$spam_quarantine_to = undef;
$X_HEADER_LINE = "$myproduct_name at $mydomain";
@local_domains_acl = ("{{ mail_domain }}"
{%- for domain in mail_domains %}
, "{{ domain }}"
{%- endfor %}
);
#------------ Do not modify anything below this line -------------
1; # ensure a defined return

View File

@ -108,7 +108,7 @@ scope = subtree
# There are also other special fields which can be returned, see # There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields # http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = user_attrs = uid=user
# Filter for user lookup. Some variables can be used (see # Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list): # http://wiki2.dovecot.org/Variables for full list):
@ -116,7 +116,7 @@ user_attrs =
# %n - user part in user@domain, same as %u if there's no domain # %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if user there's no domain # %d - domain part in user@domain, empty if user there's no domain
#user_filter = (&(objectClass=posixAccount)(uid=%u)) #user_filter = (&(objectClass=posixAccount)(uid=%u))
user_filter = (&(objectClass=posixAccount)(uid=%u)) user_filter = (&(objectClass=posixAccount)(uid=%n))
# Password checking attributes: # Password checking attributes:
# user: Virtual user name (user@domain), if you wish to change the # user: Virtual user name (user@domain), if you wish to change the
@ -124,7 +124,7 @@ user_filter = (&(objectClass=posixAccount)(uid=%u))
# password: Password, may optionally start with {type}, eg. {crypt} # password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see # There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
#pass_attrs = uid=user,userPassword=password pass_attrs = uid=user
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use # If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll # userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
@ -135,6 +135,7 @@ user_filter = (&(objectClass=posixAccount)(uid=%u))
# Filter for password lookups # Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u)) #pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=posixAccount)(uid=%n))
# Attributes and filter to get a list of all users # Attributes and filter to get a list of all users
#iterate_attrs = uid=user #iterate_attrs = uid=user

View File

@ -15,6 +15,8 @@ mail_home = maildir:/var/vmail/%u
mail_uid = vmail mail_uid = vmail
mail_gid = vmail mail_gid = vmail
postmaster_address = postmaster@binary-kitchen.de
ssl = yes ssl = yes
ssl_cert = </etc/dovecot/ssl/{{ mail_server }}.crt ssl_cert = </etc/dovecot/ssl/{{ mail_server }}.crt
ssl_key = </etc/dovecot/ssl/{{ mail_server }}.key ssl_key = </etc/dovecot/ssl/{{ mail_server }}.key
@ -32,13 +34,19 @@ userdb {
} }
service auth { service auth {
unix_listener /var/spool/postfix/private/auth { unix_listener /var/spool/postfix/private/dovecot-auth {
mode = 0660 mode = 0660
user = postfix user = postfix
group = postfix group = postfix
} }
} }
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtpd {
group = postfix
mode = 0660
user = postfix
}
}
service imap-login { service imap-login {
inet_listener imap { inet_listener imap {
address = 0.0.0.0 :: address = 0.0.0.0 ::
@ -50,27 +58,32 @@ service imap-login {
} }
} }
service managesieve-login { protocols = "imap lmtp sieve"
inet_listener sieve {
address = 127.0.0.1 ::1
port = 2000
}
}
protocol lda {
mail_plugins = sieve
log_path = /var/log/dovecot/deliver.log
info_log_path = /var/log/dovecot/deliver.log
}
protocol imap { protocol imap {
mail_plugins = "imap_sieve"
mail_max_userip_connections = 50 mail_max_userip_connections = 50
} }
protocol lmtp {
mail_plugins = "sieve notify push_notification"
}
protocol lda {
mail_plugins = "sieve notify push_notification"
}
plugin { plugin {
sieve = ~/.dovecot.sieve imapsieve_mailbox1_before = file:/var/vmail/.sieve/.report-spam.sieve
sieve_before = /var/vmail/default.sieve imapsieve_mailbox1_causes = COPY
sieve_global_path = /var/vmail/default.sieve imapsieve_mailbox1_name = Junk
imapsieve_mailbox2_before = file:/var/vmail/.sieve/.report-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_name = *
sieve = /var/vmail/.sieve/%u.sieve
sieve_dir = /var/vmail/.sieve/%u
sieve_global = /var/mail/.sieve/.global
sieve_global_extensions = +vnd.dovecot.pipe
sieve_pipe_bin_dir = /var/vmail/.sieve
sieve_plugins = "sieve_imapsieve sieve_extprograms"
sieve_before = /var/mail/.sieve/.move-spam.sieve
} }
namespace inbox { namespace inbox {

View File

@ -1,37 +1,55 @@
# See /usr/share/postfix/main.cf.dist for a commented, more complete version # Uncomment soft_bounce for testing
#soft_bounce = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) # Generic postfix parameters
compatibility_level = 2
smtpd_banner = $myhostname ESMTP $mail_name
biff = no biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no readme_directory = no
inet_interfaces = all inet_interfaces = all
inet_protocols = all inet_protocols = all
message_size_limit = 50000000 message_size_limit = 50000000
recipient_delimiter = + recipient_delimiter = +
unknown_local_recipient_reject_code = 550
mydomain = {{ mail_domain }} strict_rfc821_envelopes = yes
myhostname = {{ ansible_fqdn }} disable_vrfy_command = yes
myorigin = {{ ansible_fqdn }} smtpd_delay_reject = yes
mydestination = localhost.{{ mail_domain }}, localhost smtpd_helo_required = yes
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ mail_trusted }}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost = relayhost =
# TLS parameters # Postscreen (pre-greet only, rspamd does the rest)
postscreen_greet_banner = $myhostname ESMTP $mail_name
postscreen_greet_action = enforce
# Network parameters
mydomain = {{ mail_domain }}
myhostname = {{ ansible_fqdn }}
myorigin = $myhostname
mydestination = localhost.$mydomain, localhost
mynetworks =
127.0.0.0/8
[::ffff:127.0.0.0]/104
[::1]/128
{% for cidr in mail_trusted.split(' ') %}
{{ cidr }}
{% endfor %}
# Alias configuration
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Client TLS parameters
smtp_tls_security_level = may smtp_tls_security_level = may
smtp_tls_loglevel = 1 smtp_tls_loglevel = 1
smtp_tls_CApath = /etc/ssl/certs smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
smtp_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_fingerprint_digest=sha256
# Server TLS parameters
smtpd_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt smtpd_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
smtpd_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key smtpd_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
smtpd_tls_CApath = /etc/ssl/certs smtpd_tls_CApath = /etc/ssl/certs
@ -39,50 +57,56 @@ smtpd_tls_security_level = may
smtpd_tls_auth_only = yes smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium smtpd_tls_ciphers = medium
smtpd_tls_received_header = yes smtpd_tls_received_header = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_fingerprint_digest=sha256
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # Submission SASL configuration
# information on enabling SSL in the smtp client.
smtpd_sasl_type = dovecot smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_auth_enable = yes smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous smtpd_sasl_security_options = noanonymous
smtpd_helo_restrictions = permit_mynetworks # SMTPd restrictions
warn_if_reject reject_non_fqdn_hostname smtpd_client_restrictions =
check_helo_access hash:/etc/postfix/helo_access permit_sasl_authenticated
#check_client_access cidr:/etc/postfix/client_access permit_mynetworks
reject_unknown_reverse_client_hostname
smtpd_recipient_restrictions = permit_mynetworks smtpd_sender_restrictions =
permit_sasl_authenticated reject_unknown_sender_domain
reject_unauth_destination reject_non_fqdn_sender
reject_rbl_client sbl.spamhaus.org permit_mynetworks
reject_rbl_client cbl.abuseat.org permit_tls_clientcerts
check_recipient_access hash:/etc/postfix/recipient_access permit_sasl_authenticated
reject_unauth_pipelining
reject_unauthenticated_sender_login_mismatch
reject_sender_login_mismatch
smtpd_data_restrictions = warn_if_reject reject_unauth_pipelining smtpd_recipient_restrictions =
reject_unknown_recipient_domain
reject_non_fqdn_recipient
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
reject_unauth_destination
reject_unauth_pipelining
reject_unverified_recipient
smtpd_restriction_classes = greylisting # rspamd Milter setup
smtpd_milters = inet:localhost:11332
greylisting = check_policy_service unix:private/spfpolicy non_smtpd_milters = inet:localhost:11332
check_policy_service inet:127.0.0.1:10023 milter_default_action = accept
milter_protocol = 6
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
# mailbox / forward definitions
virtual_mailbox_domains = {{ mail_domain }} virtual_mailbox_domains = {{ mail_domain }}
{%- for domain in mail_domains %} {% for domain in mail_domains %}
{{ domain }} {{ domain }}
{%- endfor %} {% endfor %}
virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-maps.cf
virtual_alias_maps = hash:/etc/postfix/virtual-alias, ldap:/etc/postfix/ldap-aliases.cf virtual_alias_maps = hash:/etc/postfix/virtual-alias, ldap:/etc/postfix/ldap-aliases.cf
virtual_transport = lmtp:unix:private/dovecot-lmtpd
virtual_transport = dovecot unverified_recipient_reject_code = 550
dovecot_destination_recipient_limit = 1 unverified_recipient_reject_reason = Recipient unknown
# mailman # mailman
relay_domains = {{ mailman_domain }} relay_domains = {{ mailman_domain }}

View File

@ -9,12 +9,19 @@
# service type private unpriv chroot wakeup maxproc command + args # service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100) # (yes) (yes) (yes) (never) (100)
# ========================================================================== # ==========================================================================
smtp inet n - - - - smtpd #smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy tlsproxy unix - - - - 0 tlsproxy
submission inet n - - - - smtpd submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o { milter_macro_daemon_name = ORIGINATING }
# -o syslog_name=postfix/submission # -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt # -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes # -o smtpd_sasl_auth_enable=yes
@ -24,7 +31,6 @@ submission inet n - - - - smtpd
# -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions= # -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd #smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps # -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes # -o smtpd_tls_wrappermode=yes
@ -120,29 +126,3 @@ scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
# dovecot
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user} -m ${extension}
# amavis
amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
# spf
spfpolicy unix - n n - 0 spawn
user=nobody argv=/usr/bin/policyd-spf /etc/postfix-policyd-spf-python/policyd-spf.conf

View File

@ -0,0 +1,6 @@
allow_username_mismatch = true;
sign_networks = [127.0.0.1, ::1, {{ mail_trusted }}];
check_pubkey = true;
try_fallback = false;
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/local.d/arc_selectors.map";

View File

@ -0,0 +1,6 @@
allow_username_mismatch = true;
sign_networks = [127.0.0.1, ::1, {{ mail_trusted }}];
check_pubkey = true;
try_fallback = false;
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/local.d/dkim_selectors.map";

View File

@ -0,0 +1 @@
local_addrs = [127.0.0.1, ::1, {{ mail_trusted }}];